NEWS FROM THE LAB - Monday, August 16, 2004

New Mydoom variant being spammed *right now* Posted by Mikko @ 07:16 GMT

There's a fairly large and global spam run going on right now, seeding out a new variant of the Mydoom email worm.

The spammed emails always seem to look like this:

 From: random-email-address
 To: random-email-address
 Subject: photos
 Attachment: photos_arc.exe

The source addresses of the spams appear to be from DSL and cable modem pools, suggesting that the Mydoom gang is using a botnet created with earlier Mydoom variants to send this one out. They've also carefully checked that none of the common antivirus products detect this new variant. We're now detecting this as Mydoom.S with F-Secure Anti-Virus.

Also, if you're a sysadmin, you might want to block access to the domains www.richcolour.com and zenandjuice.com from your network for a while. This variant tries to download components from these addresses (but the sites themselves have nothing to do with the virus group).
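For sysadmins who want to act on the two indicators in this post (the fixed Subject/attachment pair of the spam run, and the two download domains), here is an added example, written for this page and not F-Secure's detection logic or the worm's code. It assumes the mails are exactly as described above (Subject "photos", attachment "photos_arc.exe"), treats any executable attachment as worth quarantining regardless, and matches hostnames against the listed domains (and their subdomains) for use in a DNS or proxy block list. The sample messages it builds are constructed for illustration.

```python
"""Mail-gateway and proxy checks for the Mydoom.S spam run (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Indicators from the post, compared case-insensitively.  Assumed exact.
SUSPECT_SUBJECT = "photos"
SUSPECT_ATTACHMENT = "photos_arc.exe"
# Domains the variant is reported to fetch components from.
SUSPECT_DOMAINS = ("www.richcolour.com", "zenandjuice.com")
# General hardening: executable attachments are quarantined whatever the subject.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def attachment_names(msg: EmailMessage) -> List[str]:
    """Collect the filenames of every leaf part that declares one."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    names = [n.lower() for n in attachment_names(msg)]
    mydoom = subject == SUSPECT_SUBJECT and SUSPECT_ATTACHMENT in names
    executables = [n for n in names if n.endswith(EXECUTABLE_SUFFIXES)]
    return {
        "mydoom_s_pattern": mydoom,
        "executable_attachments": executables,
        "quarantine": mydoom or bool(executables),
    }


def is_blocked_host(host: str) -> bool:
    """True if host is one of the listed domains or a subdomain of one.

    Only the names given in the post are blocked; the parent richcolour.com
    is deliberately not, since the sites are third parties.
    """
    h = host.strip().lower().rstrip(".")  # normalise case and trailing dot
    return any(h == d or h.endswith("." + d) for d in SUSPECT_DOMAINS)


def build_sample(subject: str, filename: Optional[str],
                 payload: bytes = b"MZ\x90\x00") -> bytes:
    """Construct a test message (constructed sample, not real worm mail)."""
    msg = EmailMessage()
    msg["From"] = "random-sender@example.net"
    msg["To"] = "random-recipient@example.org"
    msg["Subject"] = subject
    msg.set_content("see attached")
    if filename:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("photos", "photos_arc.exe"), ("photos", "holiday.jpg"),
                        ("invoice", "report.exe")]:
        print(subj, fname, classify(build_sample(subj, fname)))
    for host in ["zenandjuice.com", "cdn.zenandjuice.com", "richcolour.com"]:
        print(host, is_blocked_host(host))
```

`classify` can be called from a milter or procmail-style hook on the raw message; `is_blocked_host` is the predicate you would plug into a squid ACL helper or a DNS resolver hook while the download sites are being cleaned up.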